NIST Framework

I have recently worked on an IT Security Improvement project focusing closely on the NIST framework, so I would like to present it to you and explain why it is so important in cyber security.

In a nutshell, by assessing your organisation against the NIST framework you will be able to gauge the level of security awareness and overall risk management capability, identify gaps and areas for improvement, and set yourself a roadmap to reach a higher Implementation Tier. Tier 3 (Repeatable) is a good level for most organisations to aim for.

What is NIST?

The NIST Cybersecurity Framework (CSF) is a set of voluntary guidelines for managing and reducing organizational cybersecurity risk, published by the US National Institute of Standards and Technology (NIST). It is built on existing standards, guidelines and practices rather than replacing them: each outcome in the framework is mapped to informative references such as ISO/IEC 27001, NIST SP 800-53, COBIT and the CIS Controls. As an organisation, NIST develops cybersecurity standards, guidelines, best practices and other resources to meet the needs of U.S. industry, federal agencies and the broader public.

This cybersecurity framework is for organizations of all sizes, sectors and maturities.

Framework Structure

The Framework Core lays out high-level cybersecurity outcomes in an organized way, using non-technical language so that security, IT and business teams can communicate about them. At the highest level there are five Functions:

  • Identify — Understanding the business context and the cybersecurity risks to all company assets, including personnel, systems, data and suppliers
  • Protect — Implementing safeguards so that critical services keep being delivered (access control, awareness training, data security, protective technology)
  • Detect — Spotting cybersecurity events in a timely manner, typically through continuous monitoring and detection processes
  • Respond — Taking action on a detected incident to contain it and mitigate its impact, including analysis, communication and lessons learned
  • Recover — Restoring capabilities or services impaired by an incident and improving resilience for the next one

Each Function is divided into Categories (for example, Identify contains Asset Management, Risk Assessment and Supply Chain Risk Management), and each Category into Subcategories that state one specific, checkable outcome. CSF version 1.1 has 23 Categories and 108 Subcategories in all. Note that CSF 2.0 (2024) reorganised these and added a sixth Function, Govern; the structure described here is that of version 1.1.

NIST Tiers

The Framework Implementation Tiers provide context on how an organization views cybersecurity risk and on the processes it has in place to manage that risk. Tiers describe the rigour and integration of risk management practices; they are not a maturity certification and there is no requirement to reach Tier 4.

The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization. Organizations should consider leveraging external guidance obtained from Federal government departments and agencies, Information Sharing and Analysis Centers (ISACs), existing maturity models, or other sources to assist in determining their desired tier. (source NIST framework, 2014)

  1. Partial: standard processes do not exist; risk management is ad hoc and reactive, and cybersecurity is not integrated into wider organisational risk management.
  2. Risk Informed: risk management practices are approved by management but are not established as organisation-wide policy; awareness exists but is applied inconsistently.
  3. Repeatable: practices are formally approved, expressed as policy and regularly updated in response to changes in business requirements and the threat landscape.
  4. Adaptive: the organisation adapts its practices based on lessons learned and predictive indicators, and cybersecurity risk management is part of the organisational culture.

Challenges

Now that we understand what NIST is and how it can help in assessing your organisation, I will share the challenges and blockers I faced when working on this implementation:

  • The framework documentation available online is not very detailed and is kept at a very high level. Should you want to explore the 23 CSF categories in more detail, you will struggle to find information or knowledge on these specific subjects.
  • Hiring a NIST specialist or a consulting firm to help you on your NIST journey can be expensive.
  • Getting a NIST audit is also a very expensive service and may not be affordable unless your organisation has a large security budget available.

Have you worked with NIST? How did you manage, and where did you struggle? I would love to hear from you.